As I was digging through my cache of old white papers, industry reading material and other such things on a plane ride recently (and I do a lot of those these days), I stumbled upon the "Invisible Things - Quest to the Core" presentation.
If you've not seen or read it - it's scary research and proofs coming from some of my fellow Polish researchers!
Anyway... slide 18 of 209 just caught me for a moment... it was a screen capture of a ZDNet article Ryan Naraine had written on September 2nd, 2009 titled "Snow Leopard ships with vulnerable Flash Player". I just sort of sat there for a moment... and contemplated.
How is that different today? Of course, nearly every machine today that ships with Adobe Flash player (not that I'm interested in picking on Adobe here) has a "vulnerable flash player" installed.
Given how often this plug-in gets 0day headlines, it's a wonder any computer vendors would package the player in "out of the box" for fear of shipping a vulnerable version.
Of course, the reaction is then to simply not ship Flash Player by default... thus decreasing the likelihood of shipping it with that particular vulnerability - but then the user has to go get it themselves... possibly getting it from a site that's distributing *malware* instead of Flash!
I've thought about this for a moment, and have an alternative which I think would work. I can't remember who put this idea in my head so I'm failing to give someone credit and I apologize - but WHAT IF computers came shipped with *nothing* except a bare-bones OS by default?
What if on the first boot you had to be connected to the Internet, and your computer would then connect to a *trusted site* over a *secure channel* (I'm thinking SSL auth & encrypt here, bi-directionally) - then pull down all the software you'd need from a single vendor-supplied distribution point?
This would both ensure that the software you're getting when you power your computer on is both timely, updated, and from a trusted source.
Interesting idea, isn't it? What do you think, would this work?
Cross-posted from Following the White Rabbit